
A potential standard for securing network-connected pacemakers, automobiles, and other lightweight devices has suffered a potentially game-over setback after researchers developed a practical attack that obtains its secret cryptographic key.

Known as Algebraic Eraser, the scheme is a patented way to establish a shared secret key without overtaxing the limited memory and computational resources that often constrain so-called Internet of Things (IoT) devices. Developed by scientists from Shelton, Connecticut-based SecureRF, it's similar to the Diffie-Hellman key exchange in that it allows two parties who have never met to agree on a key over an insecure channel, with an eavesdropper who sees every message still unable to learn that key.

The big advantage Algebraic Eraser has had is its ability to work using only a tiny fraction of the power and computing resources required by more traditional key exchanges. Algebraic Eraser has looked so promising that it's an underlying technology in ISO/IEC AWI 29167-20, a proposed International Organization for Standardization specification for securing radio frequency identification-enabled technologies, wireless sensors, embedded systems, and other devices where security is paramount and computing resources are minimal.

Now, academic researchers say the Algebraic Eraser suffers a weakness so severe that it compromises the entire security of the proposed ISO standard wherever the Algebraic Eraser is used. To underscore their assessment, the researchers developed an attack that, running on a single CPU core, requires just eight hours to recover a shared 128-bit key negotiated using the Algebraic Eraser. (The shared key is the secret that the two parties go on to use to encrypt and authenticate the data they exchange.) With enhancements, they said, the attack can probably be carried out much more quickly. The underlying weakness means there could be disastrous consequences if the scheme is widely deployed.

"A key exchange might be used to secure the long-term key for an implanted medical device, say, or a networked vehicle," Simon Blackburn, a mathematics professor at Royal Holloway University of London and co-author of a paper titled A Practical Cryptanalysis of the Algebraic Eraser, wrote in an e-mail to Ars. "Compromising the key might allow malicious code to be inserted into the device or might allow the device to be remotely controlled by an adversary. I would not want a hacker to take control of my car or my pacemaker."

“Serious doubt”

In the paper, Blackburn—along with Bar-Ilan University mathematicians Adi Ben-Zvi and Boaz Tsaban—said they chose to examine Algebraic Eraser and a SecureRF-developed implementation of it called Colored Burau Key Agreement Protocol (CBKAP) because of its potential to become ubiquitous in the IoT landscape, where cars, medical devices, and many other traditional devices are connected to the Internet or similar types of networks.

"IoT is a growth area, where current widely accepted public key techniques struggle to operate due to tight efficiency constraints," they wrote. "It is likely that solutions which are efficient enough for these applications will become widely deployed, and the nature of these applications make system changes after deployment difficult. Thus, it is vital to scrutinise the security of systems such as the Algebraic Eraser early in the standardisation process, to ensure only secure schemes become ubiquitous."

The researchers went on to say that "because our attack efficiently recovered the shared key of the CBKAP for recommended parameter sizes, using parameters provided by SecureRF, we believe the results presented here cast serious doubt on the suitability of the Algebraic Eraser for the applications proposed."

In contrast to previous attacks on the Algebraic Eraser, Blackburn said the latest attack recovers the shared secret key directly from the public key of one user (usually referred to as "Alice" by cryptographers) and the messages exchanged between Alice and a second user (usually referred to as "Bob") rather than attempting to reconstruct the random information that Alice or Bob generated.

"The approach avoids the problems with a previous attack, which got stuck when trying to find part of this random information," Blackburn told Ars. "This new twist allows us to reduce the problem of breaking the scheme to linear algebra and a problem in small permutation groups."
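To make the attacker model in the two paragraphs above concrete, here is an added illustration (not code from the paper, from SecureRF, or from Ars) of a Diffie-Hellman-style exchange seen from Eve's side: she holds only Alice's public value and the messages that crossed the channel, never the random exponents. The parameters `P` and `G` are assumed toy values chosen so that a brute-force search finishes instantly; they say nothing about the Algebraic Eraser's braid-group arithmetic or the researchers' linear-algebra attack. The contrast is the point: against textbook Diffie-Hellman this eavesdropper's cost grows with the parameter size, which is exactly the escape hatch the researchers say CBKAP does not have.

```python
"""Eavesdropper's view of a Diffie-Hellman-style key agreement (toy parameters)."""
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed toy parameters (assumed for this example only). A 16-bit prime
# is hopelessly small for real use; it is chosen so Eve's search is instant.
P = 65521  # largest 16-bit prime
G = 17     # assumed generator; brute force below works for any base


@dataclass(frozen=True)
class Transcript:
    """Everything that crosses the insecure channel, i.e. all Eve gets to see."""
    alice_public: int
    bob_public: int


def keypair(p: int = P, g: int = G) -> tuple[int, int]:
    """Return (private exponent, public value g^priv mod p)."""
    priv = secrets.randbelow(p - 2) + 1
    return priv, pow(g, priv, p)


def shared_key(own_priv: int, peer_pub: int, p: int = P) -> int:
    """Each side raises the peer's public value to its own private exponent."""
    return pow(peer_pub, own_priv, p)


def run_exchange(p: int = P, g: int = G) -> tuple[Transcript, int, int]:
    """Run one exchange; return what Eve saw plus both parties' derived keys."""
    a_priv, a_pub = keypair(p, g)
    b_priv, b_pub = keypair(p, g)
    k_alice = shared_key(a_priv, b_pub, p)
    k_bob = shared_key(b_priv, a_pub, p)
    return Transcript(a_pub, b_pub), k_alice, k_bob


def eve_recover_key(t: Transcript, p: int = P, g: int = G) -> Optional[int]:
    """Passive attacker: recover the shared key from the transcript alone.

    Brute-forces the discrete log of Alice's public value. Cost is about p
    multiplications, so this is only feasible for toy parameters; doubling the
    bit length of p squares the work, which is why Diffie-Hellman can be
    rescued by bigger parameters.
    """
    acc = 1
    for x in range(1, p):
        acc = (acc * g) % p
        if acc == t.alice_public:
            # Any x with g^x == Alice's value yields the same key as her real exponent.
            return pow(t.bob_public, x, p)
    return None


if __name__ == "__main__":
    transcript, ka, kb = run_exchange()
    print("Alice and Bob agree:", ka == kb)
    print("Eve recovers the key from the transcript:", eve_recover_key(transcript) == ka)
```

Run it and Eve wins every time, because `P` is tiny; swap in a 2048-bit prime and `eve_recover_key` never returns, while `shared_key` still runs in milliseconds. The researchers' claim about CBKAP is that no such asymmetry exists there: the attack's cost tracks the honest parties' cost as the parameters grow.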

No threat

SecureRF CEO and President Louis Parks told Ars he doesn't believe the attack is as practical as the recent paper reports, for several reasons. For one, he said the shared secret extraction technique doesn't scale. For another, he said, the attack won't work when different parameters are used for the cryptosystem, which he referred to as Algebraic Eraser Diffie-Hellman, or AEDH.

"Our conclusion is that this attack does not represent a threat to the practical deployment of AEDH in applications with properly chosen parameters," he wrote in an abstract to a research paper he said he plans to publish in response to the attack.

"It is apparent that we may have provided 'weak parameters' that were being used for internal testing and sent to the researchers when requested," Parks wrote. "We are addressing both this area of parameters and our process for approving secure parameters. But his attack does not claim to have 'broken' our method or recover any secret material. It claims to be able to recover a computed shared secret. If true, then like RSA and others, we will need to identify these weak parameters to our partners and ensure they are not used."

For his part, Blackburn said he was surprised to learn that Parks said the attack doesn't scale and doesn't work as well as reported in the paper. Blackburn said he also doesn't understand why SecureRF scientists would have provided parameters they didn't believe would withstand the new attack, and he's eager to see the final paper Parks has discussed. Several prominent mathematicians have taken to social media in recent days to echo Blackburn's claim that the new attack essentially breaks the Algebraic Eraser and renders it all but dead.

Until SecureRF has had time to present its final paper, such pronouncements are preliminary. But based on the new attack, it's clear that the drafters of ISO/IEC AWI 29167-20 should take a long, hard look at the Algebraic Eraser now. If that attack works the way Blackburn and his peers say it does, the time to address this crippling weakness is now—not when the underlying Algebraic Eraser is embedded in millions of devices.


61 Reader Comments

This is a lot worse than it sounds, assuming the attack is serious and can't be fixed by upping the parameters, as the researchers seem to think. Hacked routers are apparently now a realistic attack vector. If there's no good crypto on the device itself, an active MITM attack may be a lot easier than it sounds.

Isn't the history of low-power wireless devices littered with the shattered husks and dried corpses of cryptosystems whose primary virtue was compactness?

Between assorted RFID and pre-standardization-RFID-like things; assorted keyfobs for unlocking cars by remote, whatever is used in those 'speedpass' payment dongles; and so on, it seems like it's something of a damned genre.

Unfortunately, it's also one where people like to pick something and then embed it in enough widgets, card readers, door strikes, and whatnot that it'll be at least a decade before you can pick something else; so all errors are brutally persistent.

"You can't use the recommended parameters! You have to use this new set of parameters! Besides, we haven't had an attack that we know about yet."

Ok guys, real convincing.

That would be a bad enough attitude in a vendor selling software that you could push updates to as frequently as you want; and 'IoT' is a situation where it is expected that lots of software will go out and remain unchanged for the life of the device that it's embedded in. Under such circumstances the only responsible thing would be to run away screaming from anything that looks even potentially shaky; because you can be more or less certain that it will still be baked into things a decade from now.

As someone who's never heard of "Algebraic Eraser" before, can anyone please provide a real-world example of the approximate difference in the computational expense and/or memory footprint required for a typical handshake/key exchange between this and the alternatives? How many orders of magnitude are we talking?

SecureRF CEO and President Louis Parks told Ars he doesn't believe the attack is as practical as the recent paper reports for several reasons. For one, he said the shared secret extraction technique doesn't scale. For another, he said, the attack won't work when different parameters are used for the cryptosystem, which he referred to as Algebraic Eraser Diffie-Hellman, or AEDH.

Louis, I don't have as much knowledge about these things as you or even most Ars commenters. But here's what I see:

Researcher: This is insecure. Here's how.

Louis Parks: NO IT'S NOT, YOU DID IT WRONG

Perhaps there's enough detail missing from the article, or from my understanding, but the perception is that you don't take this seriously, and that by itself causes me to mistrust your product.

For his part, Blackburn said he was surprised to learn that Parks said the attack doesn't scale and doesn't work as well as reported in the paper. Blackburn said he also doesn't understand why SecureRF scientists would have provided parameters they didn't believe would withstand the new attack, and he's eager to see the final paper Parks has discussed.

It's called spin and damage control. Is this guy new to how corporations work?

Why would he be surprised that a corporation who is trying to sell a patented technology into a standard would go into full spin mode after weaknesses are published? If AE is removed from the standard because it's crap, they lose all the potential FRAND royalty fees.

Ultimately this shouldn't come as a huge shocker. You're trying to make encryption simpler to run on less powerful hardware - this is almost certainly going to make it easier to crack when you put a large amount of computer processing power on it.

Add to this the fact that they seem to be making decisions based on their attachment to a certain method or concept of operation rather than basing them on what provides maximum possible security within their target objectives.

To be honest, I'm afraid any cryptographic technique that will eventually be chosen to be used in IoT-class hardware will tend towards the weak side, due to the constraints represented by hardware and battery life (especially for wearable devices). Any adversary will have access to hardware orders of magnitude more powerful than anything powering an IoT device. At this point, the sanest thing to do would be to either force such devices towards existing secure standards, or towards one-way traffic standards, where the device at most can communicate its status but needs physical access for interaction.

For his part, Blackburn said he was surprised to learn that Parks said the attack doesn't scale and doesn't work as well as reported in the paper. Blackburn said he also doesn't understand why SecureRF scientists would have provided parameters they didn't believe would withstand the new attack, and he's eager to see the final paper Parks has discussed.

It's called spin and damage control. Is this guy new to how corporations work?

I suspect this is an exquisitely polite version of, "That's the most moronic thing I've ever heard and there's no way in hell they'll ever be able to back it up."

As someone who's never heard of "Algebraic Eraser" before, can anyone please provide a real-world example of the approximate difference in the computational expense and/or memory footprint required for a typical handshake/key exchange between this and the alternatives? How many orders of magnitude are we talking?

According to this session paper by the Secure RF corporation, it looks like a 10-15x improvement in speed and a smaller improvement in memory over equivalent strength SEC/NIST elliptic curves (the hardware implementation difference is larger, but has just a single data point).

State-of-the-art elliptic curve algorithms can get a similar improvement over those curves on large computers, but I don't know if those improvements can be scaled down to the low performance processors targeted here.

I scanned through the arxiv paper. Please note that I'm not a mathematician, but even a cursory reading shows this is a direct attack.

The paper claims to demonstrate that if Eve (the attacker) intercepts the encrypted conversation, she can then directly compute the encryption key. The paper then proceeds to show exactly how to do so. There's no mucking with side channels or guessing the state of the PRNG, this attack is as direct as they come.

They broke a key within 8 hours using a single core on a CPU; the problem is trivially parallelizable, so doing this on a cluster would bring the time down substantially.

Upping the encryption parameters substantially might make this current attack impractical (the paper claims otherwise), but who knows whether embedded devices can even use much larger parameters, given device constraints?

Some choice quotes directly from the paper:

Quote:

The attack scales well with size, so increasing parameter sizes will not provide a solution to the security problem for the CBKAP.

Quote:

The attack presented here takes a very different approach to the cryptanalysis of [8]. In particular, the attack recovers the shared key directly from Alice’s public key and the messages exchanged between Alice and Bob, rather than attempting to construct the random information that Alice or Bob generates.

Quote:

Not surprisingly, this attack is highly parallelisable. We did not exploit this fact since for the actual parameters a single CPU core sufficed.

This is as bad as, if not worse than, the original Nintendo DS only supporting WEP.

Encryption is not something to be taken lightly, and device manufacturers should always target the best known method at the time of production

Keep in mind the genesis of the hardware used in the DS goes back several years earlier. IIRC at the time of GBA development Nintendo had two options for their next handheld: they had a 3D platform that they had been developing at the time, and then a second course of action was to build a 2D-focused system again. They went with option 2 for cost and battery life reasons.

When the ideas for the DS began kicking around, Nintendo wasn't sure about the concept of two screens being a successful one; this is evident in them calling it a third pillar at the time and saying it wouldn't be replacing the Game Boy line. This lack of certainty drove them to go back to the potential 3D hardware and revise that project. We don't have a ton of information on what the original concept included, but 802.11 was being developed at the time, and 802.11b was ratified two years prior to the GBA's release (WPA wasn't available until 2003-2004). Due to the way Nintendo developed gaming hardware at the time and the potential origin of the hardware, that could explain the WEP limitation.

As someone who's never heard of "Algebraic Eraser" before, can anyone please provide a real-world example of the approximate difference in the computational expense and/or memory footprint required for a typical handshake/key exchange between this and the alternatives? How many orders of magnitude are we talking?

According to this session paper by the Secure RF corporation, it looks like a 10-15x improvement in speed and a smaller improvement in memory over equivalent strength SEC/NIST elliptic curves (the hardware implementation difference is larger, but has just a single data point).

State-of-the-art elliptic curve algorithms can get a similar improvement over those curves on large computers, but I don't know if those improvements can be scaled down to the low performance processors targeted here.

What are you trying to tell with that graph? Relative resources required on the X-axis and public-key systems on the Y-axis - what does that mean? Public key systems are inversely proportional to relative resources required?

Not really. Way too easy for others to exploit. The cases where we know NSA has pushed for something weak they have been the only ones with the resources/position to exploit it.

Not really - NSA has pushed companies to hand over encryption keys and/or make products that the encryption can be compromised. If the NSA can get it then it is only a matter of time before others can get to it as well.

As someone who has never heard of Algebraic Eraser, I'm guessing from the picture/graph/figure that it's computationally expensive, since "Relative Resources Required" is the x-axis and is far

However, based on the article and its use in IoT, it seems like it's supposed to be cheap. Did I miss something?

I'm assuming that's a really, really stupid marketing genius's version of a graph. "Relative Resources Required" is really the title of the graph, which usually refers to the Y axis, and the things on the Y axis are actually the categories on the X axis, though it sort of works because it is a 1:1 function.

And of course the line makes it seem like a continuous function when it isn't.

I have long since operated under the assumption that everything is vulnerable, and arranged my electronic life around that assumption. I will forego a lot of supposed 'conveniences' that I have lived this long without, and reduce my vulnerabilities to as few essential services as possible and watch them closely.

So each new revelation of a show-stopping security blunder simply validates this attitude, and it will take a hell of a lot at this stage to change my mind.

Wait, is this a patented algorithm as stated in the article text, or in the public domain as stated on the slide at the end?

In this particular case they are using the words "Public Domain" not to refer to copyright/license/patent status but to refer to the fact that it's been in use in the 'public domain' (i.e non-military, non-government).

As someone who has never heard of Algebraic Eraser, I'm guessing from the picture/graph/figure that it's computationally expensive, since "Relative Resources Required" is the x-axis and is far

However, based on the article and its use in IoT, it seems like it's supposed to be cheap. Did I miss something?

I came to ask the same thing; as far as the article text is concerned, the axis labels are reversed.

Honestly it's just a terrible graph period. They're trying to represent a single-variable parameter (computational complexity) in a two-variable plot, and they're doing a patently awful job of it to boot.

Not really. Way too easy for others to exploit. The cases where we know NSA has pushed for something weak they have been the only ones with the resources/position to exploit it.

Not really - NSA has pushed companies to hand over encryption keys and/or make products that the encryption can be compromised. If the NSA can get it then it is only a matter of time before others can get to it as well.

There is no need for the NSA to care about what the secret key to your heart monitor or your coffee maker is.

This is not an attempt by the NSA to hack into our communications via a hidden backdoor. It's just a security product that has a potentially large flaw in it.

Wouldn't be the first time an ISO paper has been rushed. Just because everyone agrees to it by vote doesn't make it right, or even feasible. This just highlights that in actual practice this standard has been shown inadequate to the problems at hand.

I have long since operated under the assumption that everything is vulnerable, and arranged my electronic life around that assumption. I will forego a lot of supposed 'conveniences' that I have lived this long without, and reduce my vulnerabilities to as few essential services as possible and watch them closely.

So each new revelation of a show-stopping security blunder simply validates this attitude, and it will take a hell of a lot at this stage to change my mind.

One of the problems with attaching a business plan (SecureRF etc.) to an important decision like this one is that when all is said and done, promoters of a business plan will pretty much always choose their next paycheck over an admission that their business plan is a non-starter. Human society being what it is, we will politely continue the conversation and decision-making process without ever directly confronting the bald fact of this conflict of interests.

A ubiquitous crypto system of this kind is simply too important to allow the invisible, blind, idiot, groping hand of the market to iteratively fail. If a company such as SecureRF insists on being a part of this process, they should be prepared to face assertion of eminent domain and business liquidation in order to get them out of the picture and stop muddying the decision, for the good of the public interest. Risk, reward, all that.

Some guy (or woman) in a corner office in Fort Meade is no doubt thinking.

"Damn security researchers constantly expose the exploits we just discovered. We need to either hire these guys or send out bulk mailings of National Security Letters about reporting anything we could have used to undermine cryptographic key standards. Would have been nice to have another way to shut off pacemakers or BMW brakes as needed."

As someone who has never heard of Algebraic Eraser, I'm guessing from the picture/graph/figure that it's computationally expensive, since "Relative Resources Required" is the x-axis and is far

However, based on the article and its use in IoT, it seems like it's supposed to be cheap. Did I miss something?

I believe it's "Relative Resources Required (to break)".

In other words, they're saying that the amount of resources required to break AE is a much higher multiplier of the resources required to implement it than the other listed products.

-----

In a separate issue, the slide at the end seems to claim that their product's security scales much better than others, relative to computational power.

If that were true, we'd be using it for *everything*, because if it's hard to break when run with parameters that work on a little battery-operated whatsit, imagine how much in the way of resources would be required to break it when it was used on a plugged-in multi-core server?

Ultimately this shouldn't come as a huge shocker. You're trying to make encryption simpler to run on less powerful hardware - this is almost certainly going to make it easier to crack when you put a large amount of computer processing power on it.

Not necessarily, if the math is good. EC is computationally easier than RSA, but just as difficult to crack (so far as is publicly known, at least). Or even if a method is not quite that strong, it just has to be good enough to be economically unfeasible a decade from now. (It's not like anything is built to last a decade anymore anyway.) In this case the math is simply broken.

Not that the actual encryption method matters much if the rest of the cryptosystem is full of holes. Any bets on how many devices will be shipped with the same private key burned in?

SecureRF CEO and President Louis Parks told Ars he doesn't believe the attack is as practical as the recent paper reports for several reasons. For one, he said the shared secret extraction technique doesn't scale. For another, he said, the attack won't work when different parameters are used for the cryptosystem, which he referred to as Algebraic Eraser Diffie-Hellman, or AEDH.

Louis, I don't have as much knowledge about these things as you or even most Ars commenters. But here's what I see:

Researcher: This is insecure. Here's how.

Louis Parks: NO IT'S NOT, YOU DID IT WRONG

Perhaps there's enough detail missing from the article, or from my understanding, but the perception is that you don't take this seriously, and that by itself causes me to mistrust your product.

This reminds me of, I believe, a research group at Microsoft that determined something was broken, I believe it was the encryption in a SQL'ish product, and the response from the team responsible for the product was basically exactly that: "Hey! You can't use our example to determine if the encryption works or not!"

I forget the product name, but it was used heavily as a full-encryption solution to protect personal identity information.



Let's just hope this encryption method is dead in the water, which is precisely the reason NOBODY should attempt to come up with their own solution, not even self-proclaimed encryption experts.

I do realize we are running out of good solutions that are not broken, but many of the problems that do exist with the relatively safer solutions can be solved by just expanding the key size to 8 to 12 times its current size.
